Evolving Challenges in Information Security Management

By Prashanta Ghoshal, Global Head, ITES, Geometric Ltd

The expanding and all-pervasive adoption of IT across every function and process of daily life, coupled with the explosive growth in the number of IT-based devices, has multiplied the importance of sound Information Security Management. At the same time it has changed the character of the challenges and of the information security risks at breakneck speed.

Some of the highlights of these changes are:
Globalization and Consumerization: Globalization of the workforce, together with the consumerization of IT, means that the new generation of employees prefer to work on the go, from locations and at times of their own choosing. Enterprises that can meet these expectations gain a significant competitive advantage in employee satisfaction and agility. However, the same trends create serious challenges for protecting the confidential information and Intellectual Property that such a workforce handles. Traditional enterprise-centric controls that operate at the physical and network perimeter of the enterprise are no longer effective, because much of the work now happens outside that perimeter.
SMAC-based business: The emergence of Social, Mobility, Analytics and Cloud (SMAC) based ways of doing business has rendered traditional enterprise-boundary controls largely ineffective. With a large share of new computing and storage capacity being added and served from public cloud rather than corporate data centers, new risks are emerging: data loss through people's social collaboration habits, and exposure of data stored on external cloud-based systems.

IoT: The IoT (Internet of Things) revolution is turning many devices and utilities of day-to-day use from "dumb" electrical hardware into "smart" and then "connected" devices. According to experts, many billions of such smart and connected devices will be added by 2020. Each of them carries its own operating system and some kind of software application, along with data connectivity. This multiplies the attack surface available to potential attackers, and it makes standardization a nightmare because the devices, their software, their uses and their production sources are all heterogeneous.

Evolving Cybercrime: The growing capabilities of cyber criminals, whether driven by financial gain from data theft and disruption, by the desire for visibility, or by government- or organization-sponsored goals, have almost levelled the technological playing field between the cyber predators and their prey.

All this paints quite a grim picture for Information Security Practitioners. Obviously, significant changes in approach are needed to address the evolving scenarios. On closer look, however, these changes, in spite of their cataclysmic appearance, are just the next step in a long cycle that follows standard patterns of human behavior.

In the new world, most transactions, processes, and money and information handling pass through IT systems; as a logical progression, both the evolving crime incidents and their prevention will therefore be based in the realm of IT systems.

While technology providers struggle to maintain the security of the IT environment, and Governments and Regulators work on providing a strong framework of law enforcement in the cyber world, the key differentiator is the awareness and alertness of individuals towards their own information security vulnerabilities.

I would venture to say that just like people are expected to stay alert and use their good judgment in the physical world in order to protect their property and peace from criminals on the street, they are expected to exhibit similar behavior in their digital lives.

Turning to the changes in approach needed from Information Security Practitioners, Enterprises and Cyber Law Enforcement authorities: the traditional principle of managing information security on the triad of Confidentiality, Integrity and Availability (CIA) remains valid, but on its own it is no longer sufficient. Some researchers have suggested complementing these traditional pillars of security with the principles of RITE (Responsibility, Integrity, Trust and Ethicality). Technological responses are a given, but by themselves they will not provide sufficient protection from the security threats. What is needed in addition are frameworks such as RITE that are based primarily on defined norms of human behavior, independent of any particular technology.

Technology providers, Enterprises and Regulators are adapting to these changes, and there is no reason why they should not be able to cope with them as they have done in the past. The next generation of end users, aptly described as 'digital natives' as opposed to the 'digital migrants' of the present generation, have a much greater awareness of the risks and of the norms of safe digital behavior, and will therefore be able to deal with the evolving Information Security landscape much better than is presently imagined.